Assertion failure: fe->isType(type), at methodjit/Compiler.cpp:7623

VERIFIED FIXED in Firefox 18

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 5 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {assertion, sec-critical, testcase})

Version: Trunk
Target Milestone: mozilla18
Hardware: x86_64
OS: Linux
Keywords: assertion, sec-critical, testcase
Points:
---
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox15 wontfix, firefox16 wontfix, firefox17 wontfix, firefox18 fixed, firefox19 fixed, firefox20 fixed, firefox-esr10 unaffected, firefox-esr1718+ fixed)

Details

(Whiteboard: [jsbugmon:verify-branch=mozilla-esr17,ignore][adv-main18+][adv-esr17+])

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
The following test asserts on mozilla-central revision ad7963c93bd8 (options -m -a -n):


try {
a = []
function f(o) {
    o[5] = {}
}
    with(a) f()
} catch(exc1) {}
evaluate("f({});");
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 1

5 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   103051:bf07c6253287
user:        Brian Hackett
date:        Wed Aug 22 12:28:34 2012 -0600
summary:     Allow purging analysis-temporary while retaining jitcode, bug 778724. r=luke
(Reporter)

Comment 2

5 years ago
CCing bhackett and luke by comment 1.
(Assignee)

Updated

5 years ago
Group: core-security
(Assignee)

Comment 3

5 years ago
Created attachment 655357 [details] [diff] [review]
patch

Bug 778724 is innocent here, the different recompilation pattern it introduces exposed the bug.  This is a regression from bug 731398; this bug allows initializers in run-once scripts to produce objects with singleton type, which TI will not try to guess at the result until the initializer actually runs.  But JM will still treat these opcodes as definitely producing objects, a refinement of the type information which it shouldn't be doing.
Assignee: general → bhackett1024
Attachment #655357 - Flags: review?(dvander)
Attachment #655357 - Flags: review?(dvander) → review+
status-firefox-esr10: --- → unaffected
status-firefox15: --- → wontfix
status-firefox16: --- → affected
status-firefox17: --- → affected
status-firefox18: --- → affected
Keywords: sec-critical
(Assignee)

Comment 4

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/1dce4807ad01
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
(Reporter)

Comment 5

5 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 1b0b56afa33a).

Comment 6

5 years ago
https://hg.mozilla.org/mozilla-central/rev/1dce4807ad01
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox18: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED
(Reporter)

Comment 7

5 years ago
JSBugMon: This bug has been automatically verified fixed.
Confirmed assert on 2012-8-24, nightly jsshell

I can confirm fixed (or unable to reproduce) on jsshell for beta/Aurora/nightly, 2012-11-20. However, above comments say it was only fixed for 18. 

Is this correct? What would we expect to see here?
Assuming affected for 17 - decoder, do you mind rechecking if 17 is still affected?

(wontfix'ing for 16 since 17 is out of the door)
status-firefox16: affected → wontfix
status-firefox19: --- → fixed
status-firefox20: --- → fixed
status-firefox-esr17: --- → affected
Flags: needinfo?(choller)
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:verify-branch=mozilla-release]
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:verify-branch=mozilla-release] → [jsbugmon:verify-branch=mozilla-release,ignore]
(Reporter)

Comment 10

5 years ago
JSBugMon: This bug has been automatically confirmed to be still valid on branch mozilla-release  (reproduced on revision 53fc01ba93c2).
Flags: needinfo?(choller)
tracking-firefox-esr17: --- → ?
(Reporter)

Comment 11

5 years ago
Also trying to confirm for ESR17 branch.
Whiteboard: [jsbugmon:verify-branch=mozilla-release,ignore] → [jsbugmon:verify-branch=mozilla-esr17]
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:verify-branch=mozilla-esr17] → [jsbugmon:verify-branch=mozilla-esr17,ignore]
(Reporter)

Comment 12

5 years ago
JSBugMon: This bug has been automatically confirmed to be still valid on branch mozilla-esr17  (reproduced on revision 30b9dd4e9966).
Tracking for ESR 17 that will ship with Firefox 18 - can someone please nominate for esr17 approval (assuming this patch lands cleanly there) or prepare an esr17 patch?
tracking-firefox-esr17: ? → 18+
(Assignee)

Comment 14

5 years ago
Comment on attachment 655357 [details] [diff] [review]
patch

[Approval Request Comment]
Fix Landed on Version: 18
Risk to taking this patch (and alternatives if risky): None
Attachment #655357 - Flags: approval-mozilla-esr17?
Attachment #655357 - Flags: approval-mozilla-esr17? → approval-mozilla-esr17+
Keywords: checkin-needed
https://hg.mozilla.org/releases/mozilla-esr17/rev/7b48b8242078
status-firefox17: affected → wontfix
status-firefox-esr17: affected → fixed
Keywords: checkin-needed
Whiteboard: [jsbugmon:verify-branch=mozilla-esr17,ignore] → [jsbugmon:verify-branch=mozilla-esr17,ignore][adv-main18+][adv-esr17+]
Can this be put in testsuite?
Flags: in-testsuite?
Group: core-security